How to configure MikroTik CAPsMAN v2

As an example, I will configure CAPsMAN v2 on a MikroTik PowerBox Pro with MikroTik cAP ac access points (RBcAPGi-5acD2nD). Instead of the PowerBox Pro you can use, for example, a MikroTik hEX PoE (RB960PGS); both have 4 PoE-out ports. Two access points can be connected to one PoE port (the recommended cable length is up to 80 m), so PoE can power 8 access points, but this needs a more powerful power supply than the included one: as I recall, the PowerBox Pro manual states 1A per PoE port at 24V and 0.5A at 48V, so a 24V 6A or 8A power supply is needed. If the access points do not get enough current, they will reboot when, for example, CPU load rises. Thanks to CAPsMAN, changes to the wireless interface configuration on the main device (password, frequencies, etc.) are applied to all access points automatically.

I’ll start with something simple: configuring the access points. Connect via Winbox and immediately open System – Reset Configuration, tick only “CAPs Mode” and click Reset Configuration. After that all settings are reset: a bridge is created with a DHCP client enabled on it, all interfaces are added to this bridge, and the wireless interfaces get Manager: capsman. Log in as admin without a password, or with the password printed on the sticker under the device.

On each access point I updated the firmware: System – Packages, Channel: upgrade, for example from the current 6.49.10 to 7.12.1; after the update I opened System – Packages again with Channel: stable and updated from 7.12.1 to 7.16.1. Then I updated the device bootloader (System – RouterBoard – Upgrade) and rebooted (System – Reboot). The firmware also needs to be updated on the main device running CAPsMAN.

On all access points I opened System – Identity and changed the names, for example cAP_ac1, cAP_ac2, then changed the password in System – Password. In IP – Services, for security, I disabled unused services such as api, api-ssl, ftp and telnet. In Files I made a backup of the current configuration in case someone resets the settings. All access points receive an IP address from the main device running CAPsMAN; if desired, you can then forward ports to them to change their settings. By default the firewall of an access point in CAPs mode has no rules, so you do not need to open ports on them. If you need to reset a MikroTik cAP ac, power it off, hold the reset button, power it on and release the reset button after 5 seconds.

See also my article: Port forwarding on Mikrotik

Now I’ll set up CAPsMAN on the main device. Open the menu:
Wireless – CAPsMAN – Security Cfg. + Add New
Authentication Type: WPA2 PSK
Encryption: aes ccm
Passphrase: …

Wireless – CAPsMAN – Channels + Add New
Name: 2GHz-N
Control Channel Width: 20Mhz
Band: 2ghz-onlyn

Name: 5GHz-N-AC
Control Channel Width: 20Mhz
Band: 5ghz-n/ac
Extension Channel: XXXX (disable – 20Mhz; XX, eC, Ce – 40Mhz; XXXX, eeeC, eeCe, eCee, Ceee – 80Mhz)

Wireless – CAPsMAN – Datapath + Add New
Name: datapath1
Bridge: bridge
Local Forwarding: + (traffic goes through the local bridge of the access point, not through the CAPsMAN bridge)
Client To Client Forwarding: + (allow L2 traffic between clients)

Wireless – CAPsMAN – Configurations + Add New
Name: cfg-2GHz-N
Mode: ap
SSID: ixnfo.com_2GHz
Channel: 2GHz-N
Band: 2ghz-onlyn
Datapath: datapath1
Security: sec1

Name: cfg-5GHz-N-AC
Mode: ap
SSID: ixnfo.com_5GHz
Channel: 5GHz-N-AC
Band: 5ghz-n/ac
Datapath: datapath1
Security: sec1

Provisioning + Add New
Radio MAC: 00:00:00:00:00:00
Hw. Supported Modes: gn
Action: create dynamic enabled
Master Configuration: cfg-2GHz-N
Name Format: prefix identity
Name Prefix: 2GHz

Radio MAC: 00:00:00:00:00:00
Hw. Supported Modes: ac
Action: create dynamic enabled
Master Configuration: cfg-5GHz-N-AC
Name Format: prefix identity
Name Prefix: 5GHz

Wireless – CAPsMAN – Cap Interface – Manager – Enabled: +
Wireless – CAPsMAN – Cap Interface – Manager – Interfaces + Add New
Interface: ether1 (the WAN interface)
Forbid: + (CAPsMAN will not accept CAP connections on the WAN interface)
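The same manager steps in the RouterOS terminal, as an added example that is not part of the original post. It assumes the security profile is named sec1 (as referenced in the configurations above), ether1 is the WAN port and the LAN bridge is called bridge; the print commands at the end are the checks to run after the access points reboot into CAPs mode.

```routeros
# Added example, not from the original post. Assumed names: sec1, ether1 (WAN), bridge (LAN).

# Security profile referenced by both configurations
/caps-man security
add name=sec1 authentication-types=wpa2-psk encryption=aes-ccm \
    passphrase="REPLACE-WITH-YOUR-PASSPHRASE"

# Enable the manager, but only accept CAPs on the LAN bridge:
# forbid=yes on ether1 stops CAP discovery and registration on the WAN port.
/caps-man manager
set enabled=yes
/caps-man manager interface
add interface=ether1 forbid=yes
add interface=bridge forbid=no

# Checks after the CAPs reboot into CAPs mode:
# which CAPs have joined the manager
/caps-man remote-cap print
# which CAP interfaces provisioning created from the master configurations
/caps-man interface print
# connected wireless clients, per CAP interface
/caps-man registration-table print
```

If a CAP does not appear in remote-cap, confirm it received an address from the bridge's DHCP server and that it is not connected through the forbidden WAN port.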

Provisioning creates the CAP interfaces automatically, so you do not need to add them manually as shown below; this completes the setup.
Wireless – CAPsMAN – Cap Interface + Add New
Name: cap2
Configuration: cfg-2GHz-N
Mode: ap
Channel: 2GHz-N
Datapath: datapath1
Security: sec1

Name: cap5
Configuration: cfg-5GHz-N-AC
Mode: ap
Channel: 5GHz-N-AC
Datapath: datapath1
Security: sec1

After changing the 5GHz configuration, these frequencies start working after about half a minute, because the access point first scans the channel for radar (DFS) and selects an unoccupied frequency.

I will also post part of the resulting configuration as an example:

[admin@RouterOS_PowerBoxPro] > export 
# model = RB960PGS-PB
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz name=2GHz-N
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX name=5GHz-N-AC
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add channel=2GHz-N channel.band=2ghz-onlyn datapath=datapath1 mode=ap name=cfg-2GHz-N security=security1 ssid=AP_2.4Ghz
add channel=5GHz-N-AC channel.band=5ghz-n/ac datapath=datapath1 mode=ap name=cfg-5GHz-N-AC security=security1 ssid=AP_5Ghz
/caps-man interface
add channel=2GHz-N configuration=cfg-2GHz-N configuration.mode=ap datapath=datapath1 disabled=no l2mtu=1600 mac-address=18:FD:74:63:87:8A master-interface=none name=cap2 radio-mac=18:FD:74:63:87:8A radio-name=18FD7463878A security=security1
add channel=5GHz-N-AC configuration=cfg-5GHz-N-AC configuration.mode=ap datapath=datapath1 disabled=no l2mtu=1600 mac-address=18:FD:74:63:87:8B master-interface=none name=cap5 radio-mac=18:FD:74:63:87:8B radio-name=18FD7463878B security=security1
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-2GHz-N name-format=prefix-identity name-prefix=2GHz
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg-5GHz-N-AC name-format=prefix-identity name-prefix=5GHz
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=netmap chain=dstnat dst-port=81 in-interface=ether1 protocol=tcp to-addresses=192.168.88.251 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=RouterOS_PowerBoxPro_ixnfo.com
